Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

MT iOS winbox app not connecting

Mon Jan 30, 2023 9:01 pm

I have a hAPax3 connected to a hEX.

When my iPhone is connected via wifi to the hap, I cannot connect using the iOS MT winbox app to connect to the hap or the hex.

If I connect to another AP also connected directly to the hex (not an MT device) I can connect just fine using the MT app.

On the hap, there is only an allow firewall for all incoming packets.

I have mac-server set to allow access via all interfaces.

Anyone have any suggestions?

Thanks.

anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT iOS winbox app not connecting

Mon Jan 30, 2023 10:31 pm

You know the drill.
/config on both.............

Remember anything you say is pure conjecture and opinion unless backed up by facts :-)

Josephny
Topic Author

Re: MT iOS winbox app not connecting

Mon Jan 30, 2023 11:09 pm

> anav wrote:
> You know the drill.
> /config on both.............
>
> Remember anything you say is pure conjecture and opinion unless backed up by facts :-)
I do indeed :)

While you're looking at the config, the wifi stability when using 802.11ax on 5ghz was so bad (repeated disconnects) that I had to change it to A/N. I also lowered the bandwidth to 20/40. Not sure which change helped, but now only a couple of stations repeatedly get "disconnected" and "connected" (as opposed to all stations with X and 20/40/80).

Thanks!

# jan/30/2023 16:01:58 by RouterOS 7.7
# software id = 5NRD-V1QF
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxxC
/interface bridge
add admin-mac=48:xxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="To hEX" poe-out=off
set [ find default-name=ether3 ] comment=TV
set [ find default-name=ether4 ] comment=TV
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-n .skip-dfs-channels=all \
.width=20/40mhz configuration.mode=ap .ssid=Upstairs5g-0F0493 disabled=no \
security.authentication-types=wpa2-psk .passphrase=PASS
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=all \
.width=20/40mhz configuration.mode=ap .ssid=Upstairs-2G-0F0494 disabled=\
no security.authentication-types=wpa2-psk .passphrase=PASS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add include=LAN,WAN name=ALL-JRS
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.5/24 comment=defconf interface=bridge network=\
192.168.2.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dns
set allow-remote-requests=yes query-server-timeout=5s servers=192.168.2.4
/ip dns static
add address=192.168.2.5 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward in-interface-list=LAN log=yes
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-table=main \
suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=hAP-Ax3
/system ntp client
set enabled=yes mode=broadcast
/system ntp client servers
add address=time-e-g.nist.gov
/system script
add dont-require-permissions=no name=export-download owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global nowdate do={\r\
\n /system clock\r\
\n :local vdate [get date]\r\
\n :local yyyy [:pick \$vdate 7 11]\r\
\n :local M ([:find \"xxanebarprayunulugepctovecANEBARPRAYUNULUGEPC\
TOVEC\" [:pick \$vdate 1 3] -1] / 2); :if (\$M>12) do={:set M (\$M - 12)}\
\r\
\n :local MM [:pick \"0\$M\" 1 3]\r\
\n :local dd [:pick \$vdate 4 6]\r\
\n :return \"\$yyyy-\$MM-\$dd\"\r\
\n}\r\
\n\r\
\n# for v6\r\
\n#/export file=\"212hapex3-\$[\$nowdate]\"\r\
\n\r\
\n# for v7\r\
\n/export show-sensitive file=\"212hapex3-\$[\$nowdate]\"\r\
\n\r\
\n/tool fetch upload=yes mode=ftp ascii=no src-path=\"/212hapex3-\$[\$nowd\
ate].rsc\" dst-path=\"/mikrotik-backups/212hapex3-\$[\$nowdate].rsc\" addr\
ess=192.168.2.22 port=21 user=mikrotik password=xxxxxx\r\
\n\r\
\n/file remove \"212hapex3-\$[\$nowdate]\"\r\
\n"
/tool mac-server
set allowed-interface-list=ALL-JRS
/tool mac-server mac-winbox
set allowed-interface-list=ALL-JRS
/tool romon
set enabled=yes
/tool sniffer
set filter-interface=ether3,ether2,ether4,ether5

anav

Re: MT iOS winbox app not connecting

Mon Jan 30, 2023 11:23 pm

where is the hex,,,,,,,,,, the hapax needs no firewall rules by the way.............
So you only have one subnet on hex and hapax ?? no guest wifi etc.........

Josephny
Topic Author

Re: MT iOS winbox app not connecting

Mon Jan 30, 2023 11:49 pm

> anav wrote:
> where is the hex,,,,,,,,,, the hapax needs no firewall rules by the way.............
> So you only have one subnet on hex and hapax ?? no guest wifi etc.........
Do you mean send the hEX config?

So I can just remove all the firewall rules in the hapax?

No guest wifi for now.

Here's the hEX (everything is a work in progress, so go easy on me please).

I can cut out some sections so it's shorter and easier to read if that would help.

# jan/30/2023 16:43:02 by RouterOS 7.6
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = HxxxxQ
/interface bridge
add admin-mac=xxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface vlan
add interface=ether2 name=TEST-VLAN-10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
add
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=4w2d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge-learning=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" endpoint-port=58820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxx"
add allowed-address=10.10.100.2/32,192.168.88.0/24 comment="371 SITE B" \
    endpoint-address=xxxxxx.dyndns.org endpoint-port=52820 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxxxx"
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment="255 Site D" \
    disabled=yes endpoint-address=xxxxxxx.dyndns.org endpoint-port=54820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxx="
add allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 comment=\
    "355 Site C" endpoint-address=xxxxxx.dyndns.org endpoint-port=53820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxxx"
add allowed-address=10.10.100.9/32 comment="JRS iPhone" endpoint-port=59820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxx="
add allowed-address=10.10.100.12/32,192.168.20.0/24 comment="629 SITE E" \
    endpoint-address=xxxxxx.dyndns.org endpoint-port=51812 interface=\
    212-Wireguard persistent-keepalive=40s public-key=\
    "xxxxxxxo="
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
add address=172.16.0.1/24 interface=TEST-VLAN-10 network=172.16.0.0
add address=192.168.1.111/24 interface=bridge network=192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.2.100 mac-address=xxxxx8 server=defconf
add address=192.168.2.102 mac-address=xxxxx4 server=defconf
add address=192.168.2.101 mac-address=xxxxxxF server=defconf
add address=192.168.2.103 mac-address=xxxxxx4B server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=10.0.0.2 gateway=\
    192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=6w cache-size=65536KiB servers=\
    10.0.0.2
/ip firewall address-list
add address=xxxxx.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=admin
add address=10.10.100.0/24 list=admin
/ip firewall filter
add action=accept chain=input disabled=yes log=yes src-address=192.168.1.1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Loopback allow" dst-address=127.0.0.1
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment="BLOCK DHCP VIA WG" in-interface=\
    212-Wireguard log=yes port=67-68 protocol=udp
add action=accept chain=input src-address-list=admin
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward dst-address=10.0.0.0/24
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment=\
    "Allow local subnet traffic to WG peers" out-interface=212-Wireguard
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" dst-address-list=dynamic-WANIP \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address=\
    192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
    protocol=tcp to-addresses=192.168.2.176
/ip route
add comment=371 disabled=no distance=1 dst-address=192.168.88.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=255 disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.4 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=629 disabled=no distance=1 dst-address=192.168.20.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=America/New_York
/system identity
set name="212 Hex"
/system ntp client
set enabled=yes
/system ntp client servers
add address=216.239.35.4
add address=104.16.132.229
/system scheduler
add interval=1d name=Daily on-event=dyndns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/18/2022 start-time=02:00:00
add disabled=yes interval=10m name=Route355255371 on-event=\
    "355 255 371 route status" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/24/2022 start-time=04:42:54
add interval=4d name=export-download on-event=export-download policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/14/2022 start-time=04:47:33
add interval=30m name="355 255 371 629 Route Status" on-event=\
    "355 255 371 629 Route Status" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2023 start-time=16:22:48
/system script
add dont-require-permissions=no name=DynDNS owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Set needed variables\r\
    \n\t:local username \"xxxxx\"\r\
    \n\t:local clientkey \"xxx8bc3\"\r\
    \n\t:local hostname \"xxxxxx.dyndns.org\"\r\
    \n\r\
    \n\t:global dyndnsForce\r\
    \n\t:global previousIP\r\
    \n\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n\t/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" ds\
    t-path=\"/dyndns.checkip.html\"\r\
    \n\t:delay 1\r\
    \n\t:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n\t:local resultLen [:len \$result]\r\
    \n\t:local startLoc [:find \$result \": \" -1]\r\
    \n\t:set startLoc (\$startLoc + 2)\r\
    \n\t:local endLoc [:find \$result \"</body>\" -1]\r\
    \n\t:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n\t:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
    \n\r\
    \n# Remove the # on next line to force an update every single time - usefu\
    l for debugging,\r\
    \n# but you could end up getting blacklisted by DynDNS!\r\
    \n\r\
    \n#:set dyndnsForce true\r\
    \n\r\
    \n# Determine if dyndns update is needed\r\
    \n# more dyndns updater request details https://help.dyn.com/remote-access\
    -api/perform-update/\r\
    \n\t:log info \"UpdateDynDNS: previousIP = \$previousIP\"\r\
    \n\t:if (\$dyndnsForce = true) do={ :log warning \"UpdateDynDNS: Forced up\
    date on\" }\r\
    \n\r\
    \n\t:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
    \n\t\t:set dyndnsForce false\r\
    \n\t\t:set previousIP \$currentIP\r\
    \n\r\
    \n\t\t/tool fetch mode=https \\\r\
    \n\t\turl=\"https://\$username:\$clientkey@members.dyndns.org/v3/update\?h\
    ostname=\$hostname&myip=\$currentIP\" \\ \r\
    \n\t\tdst-path=\"/dyndns.txt\"\r\
    \n\r\
    \n\t\t:delay 1\r\
    \n\t\t:local result [/file get dyndns.txt contents]\r\
    \n\t\t:log info (\"UpdateDynDNS: Dyndns update needed\")\r\
    \n\t\t:log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
    \n\t\t:put (\"Dyndns Update Result: \".\$result)\r\
    \n\t} else={\r\
    \n\t\t:log info (\"UpdateDynDNS: No dyndns update needed\")\r\
    \n\t}"
add dont-require-permissions=no name="355 255 371 629 Route Status" owner=\
    admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
    \r\
    \n:global prevstatus355;\r\
    \n:global updown355;\r\
    \n:global status355 [:ip route get value-name=active [:ip route find comme\
    nt=\"355\"]]\r\
    \n\r\
    \n:log info (\"status355 is \$status355\");\r\
    \n:log info (\"prevstatus355 is \$prevstatus355\");\r\
    \n\r\
    \n:if ( \"\$status355\" = true ) do={:set updown355 UP} else= {:set updown\
    355 DOWN}\r\
    \n\r\
    \n:log info (\"updown355 is \$updown355\");\r\
    \n\r\
    \n:if ( \"\$status355\" != \"\$prevstatus355\" ) do={ \r\
    \n\r\
    \n:log warn \"355 connectivity is now \\\"\$updown355\\\" \";\r\
    \n:tool e-mail send to=xxxxxxx.com subject=\"355 Connectivity n\
    ow \\\"\$updown355\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
    stem clock get time ] . \" 355 connectivity changed status from \\\"\$prev\
    status355\\\" -> \\\"\$updown355\\\" \" )\r\
    \n\r\
    \n:set prevstatus355 \$status355\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n:global prevstatus371;\r\
    \n:global updown371;\r\
    \n:global status371 [:ip route get value-name=active [:ip route find comme\
    nt=\"371\"]]\r\
    \n\r\
    \n:log info (\"status371 is \$status371\");\r\
    \n:log info (\"prevstatus371 is \$prevstatus371\");\r\
    \n\r\
    \n:if ( \"\$status371\" = true ) do={:set updown371 UP} else= {:set updown\
    371 DOWN}\r\
    \n\r\
    \n:log info (\"updown371 is \$updown371\");\r\
    \n\r\
    \n:if ( \"\$status371\" != \"\$prevstatus371\" ) do={ \r\
    \n\r\
    \n:log warn \"371 connectivity is now \\\"\$updown371\\\" \";\r\
    \n:tool e-mail send to=xxxxx subject=\"371 Connectivity n\
    ow \\\"\$updown371\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
    stem clock get time ] . \" 371 connectivity changed status from \\\"\$prev\
    status371\\\" -> \\\"\$updown371\\\" \" )\r\
    \n\r\
    \n:set prevstatus371 \$status371\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n:global prevstatus255;\r\
    \n:global updown255;\r\
    \n:global status255 [:ip route get value-name=active [:ip route find comme\
    nt=\"255\"]]\r\
    \n\r\
    \n:log info (\"status255 is \$status255\");\r\
    \n:log info (\"prevstatus255 is \$prevstatus255\");\r\
    \n\r\
    \n:if ( \"\$status255\" = true ) do={:set updown255 UP} else= {:set updown\
    255 DOWN}\r\
    \n\r\
    \n:log info (\"updown255 is \$updown255\");\r\
    \n\r\
    \n:if ( \"\$status255\" != \"\$prevstatus255\" ) do={ \r\
    \n\r\
    \n:log warn \"255 connectivity is now \\\"\$updown255\\\" \";\r\
    \n:tool e-mail send to=xxxxxx.com subject=\"255 Connectivity n\
    ow \\\"\$updown255\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
    stem clock get time ] . \" 255 connectivity changed status from \\\"\$prev\
    status255\\\" -> \\\"\$updown255\\\" \" )\r\
    \n\r\
    \n:set prevstatus255 \$status255\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n\r\
    \n:global prevstatus629;\r\
    \n:global updown629;\r\
    \n:global status629 [:ip route get value-name=active [:ip route find comme\
    nt=\"629\"]]\r\
    \n\r\
    \n:log info (\"status629 is \$status629\");\r\
    \n:log info (\"prevstatus629 is \$prevstatus629\");\r\
    \n\r\
    \n:if ( \"\$status629\" = true ) do={:set updown629 UP} else= {:set updown\
    629 DOWN}\r\
    \n\r\
    \n:log info (\"updown629 is \$updown629\");\r\
    \n\r\
    \n:if ( \"\$status629\" != \"\$prevstatus629\" ) do={ \r\
    \n\r\
    \n:log warn \"629 connectivity is now \\\"\$updown629\\\" \";\r\
    \n:tool e-mail send to=xxxxxx subject=\"629 Connectivity n\
    ow \\\"\$updown629\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
    stem clock get time ] . \" 629 connectivity changed status from \\\"\$prev\
    status629\\\" -> \\\"\$updown629\\\" \" )\r\
    \n\r\
    \n:set prevstatus629 \$status629\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n}\r\
    \n"
add dont-require-permissions=no name=GetIP owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    interface bridge host\r\
    \n:foreach item in=[find] do={\r\
    \n    :local iface  [get \$item interface]\r\
    \n    :local macadd [get \$item mac-address]\r\
    \n    :local idmac  [/ip arp find where mac-address=\$macadd]\r\
    \n    :if ([:len \$idmac] = 1) do={\r\
    \n        :local ifip [/ip arp get \$idmac address]\r\
    \n        :put   \"interface=\$iface mac=\$macadd ip=\$ifip\"\r\
    \n    }\r\
    \n}"
add dont-require-permissions=no name="New route UP" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global prevstatus355\r\
    \n{\r\
    \n    /ip route\r\
    \n    :local status355 [get [find where comment=\"355\"] active]\r\
    \n    :if (\$status355) do={:set status355 \"UP\"} else={:set status355 \"\
    DOWN\"}\r\
    \n    :log info \"status355 is \$status355 and prevstatus355 is \$prevstat\
    us355\"\r\
    \n    :if (\$status355 != \$prevstatus355) do={ \r\
    \n        :log warning \"355 connectivity is now \$status355\"\r\
    \n        /tool e-mail send to=xxxxx subject=\"355 Connec\
    tivity is now \$status355\" \\\r\
    \n                     body=\"\$[/system clock get date] \$[/system clock \
    get time] 355 connectivity changed status \$prevstatus355 -> \$status355\"\
    \r\
    \n        :set prevstatus355 \$status355\r\
    \n    }\r\
    \n}\r\
    \n"
add dont-require-permissions=no name="Upload config" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="t\
    ool fetch address=192.168.2.22 src-path=212hex-12-9-2022.rsc user=mikrotik\
    \_mode=ftp passwo\r\
    \nrd=mikrotik dst-path=212hex-12-9-92022.rsc port=21 host=\"\" upload=yes\
    \r\
    \n"
add dont-require-permissions=no name=export-download owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global nowdate do={\r\
    \n    /system clock\r\
    \n    :local vdate [get date]\r\
    \n    :local yyyy  [:pick \$vdate 7 11]\r\
    \n    :local M     ([:find \"xxanebarprayunulugepctovecANEBARPRAYUNULUGEPC\
    TOVEC\" [:pick \$vdate 1 3] -1] / 2); :if (\$M>12) do={:set M (\$M - 12)}\
    \r\
    \n    :local MM    [:pick \"0\$M\"  1  3]\r\
    \n    :local dd    [:pick \$vdate 4  6]\r\
    \n    :return \"\$yyyy-\$MM-\$dd\"\r\
    \n}\r\
    \n\r\
    \n# for v6\r\
    \n#/export file=\"212hex-\$[\$nowdate]\"\r\
    \n\r\
    \n# for v7\r\
    \n/export show-sensitive file=\"212hex-\$[\$nowdate]\"\r\
    \n\r\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"/212hex-\$[\$nowdate\
    ].rsc\" dst-path=\"/mikrotik-backups/212hex-\$[\$nowdate].rsc\" address=19\
    2.168.2.22 port=21 user=mikrotik password=xxxxxxxx\r\
    \n\r\
    \n/file remove \"212hex-\$[\$nowdate]\"\r\
    \n"
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=smtp.gmail.com from=xxxxxxx port=587 tls=starttls \
    user=xxxxxx
/tool graphing interface
add interface=bridge
add interface=bridge
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=212 disabled=no down-script="" host=10.10.100.1 http-codes="" \
    test-script="" type=simple up-script=""
add comment=371 disabled=no down-script="" host=10.10.100.2 http-codes="" \
    test-script="" type=simple up-script=""
add comment=355 disabled=no down-script="" host=10.10.100.3 http-codes="" \
    test-script="" type=simple up-script=""
add comment=255 disabled=no down-script="" host=10.10.100.4 http-codes="" \
    test-script="" type=simple up-script=""
add disabled=no down-script="" host=10.10.100.5 http-codes="" test-script="" \
    type=simple up-script=""
add comment=LAPTOP disabled=no down-script="" host=10.10.100.8 http-codes="" \
    test-script="" type=simple up-script=""
add comment=iPhone disabled=no down-script="" host=10.10.100.9 http-codes="" \
    test-script="" type=simple up-script=""
/tool romon
set enabled=yes
/tool sniffer
set file-limit=10000KiB filter-ip-address=192.168.1.1/32 memory-limit=\
    10000KiB
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1

anav

Re: MT iOS winbox app not connecting

Tue Jan 31, 2023 6:43 pm

HEX
/interface bridge
add admin-mac=xxxxxxx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
add ( You still have this sticking around LOL................... need to remove it. )
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" endpoint-port=58820 \
interface=212-Wireguard persistent-keepalive=40s public-key=\ { not required as its the client device peer setting that needs keep alive setting }
"xxxxxx"
add allowed-address=10.10.100.9/32 comment="JRS iPhone" endpoint-port=59820 \ { same comment not required for client peer }
interface=212-Wireguard persistent-keepalive=40s public-key=\
"xxxxxx="


NOTE: Assuming all the peers that are "SITES" for allowed IPs eventually will be able to initiate a WG connection as well (so all sites need to have publicly accessible WANIPs) and this explains why you have the keep alive and endpoint addresses entered ??

Ex. add allowed-address=10.10.100.2/32,192.168.88.0/24 comment="371 SITE B" \
endpoint-address=xxxxxx.dyndns.org endpoint-port=52820 interface=\
212-Wireguard persistent-keepalive=40s public-key=\
"xxxxxxxx"


/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
add address=172.16.0.1/24 interface=TEST-VLAN-10 network=172.16.0.0
add address=192.168.1.111/24 interface=bridge network=192.168.1.0 { what is this for ?? overlaps with site D?)
/ip firewall filter
add action=accept chain=input in-interface-list=LAN ***
add action=accept chain=input comment="BLOCK DHCP VIA WG" in-interface=\ { what is the purpose of this rule ?? }
212-Wireguard log=yes port=67-68 protocol=udp

add action=accept chain=input src-address-list=admin { This is useless as you let LAN interface list access above Silly *** }
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward dst-address=10.0.0.0/24 { WHAT IS THE PURPOSE OF THIS RULE AND WHY BEFORE OTHER DEFAULT RULES }
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment=\
"Allow local subnet traffic to WG peers" out-interface=212-Wireguard src-address=192.168.2.0/24
add action=drop chain=forward
/ip firewall mangle { are you sure this is required ??? }
add action=mark-connection chain=prerouting comment=\
"Mark connection for hairpin" dst-address-list=dynamic-WANIP \
new-connection-mark="Hairpin NAT" passthrough=yes src-address=\
192.168.2.0/24
/ip route
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \ { no matching Wireguard Peer ?? }
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.4 \ { what is the purpose of this rule ??? }
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT iOS winbox app not connecting

Tue Jan 31, 2023 6:56 pm

Aim,
a. fix hex,
b. fix ax3,
c. then look at IOS problem
[ presumably a+b will solve c anyway ;-) ]
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: MT iOS winbox app not connecting

Tue Jan 31, 2023 7:44 pm

My responses to the hEX config are in capital letters.

REMOVED:
/interface list
ADD

I WOULD LIKE TO KEEP THIS FOR NOW:
/ip neighbor discovery-settings
set discover-interface-list=all


GOOD POINT ABOUT THE CLIENT DEVICE KEEPING THE TUNNEL ALIVE. I WILL REMEMBER THAT.
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" endpoint-port=58820 \
interface=212-Wireguard persistent-keepalive=40s public-key=\
"xxxxxx"
add allowed-address=10.10.100.9/32 comment="JRS iPhone" endpoint-port=59820 \
interface=212-Wireguard persistent-keepalive=40s public-key=\
"xxxxxx="



REMOVED. I HAD THIS HERE BECAUSE I'M STILL STRUGGLING WITH THE G3100 VERIZON ROUTER. I'VE ORDERED A MOCA ADAPTER TO REPLACE IT.
/ip address
add address=192.168.1.111/24 interface=bridge network=192.168.1.0


REMOVED. I DON'T KNOW WHY THAT IS THERE BUT IT MIGHT BE PART OF MY FIOS ROUTER FIX ATTEMPT.
/ip firewall filter
add action=accept chain=input comment="BLOCK DHCP VIA WG" in-interface=\
212-Wireguard log=yes port=67-68 protocol=udp


I'M UNCLEAR: THERE ARE INTERFACE LISTS, FIREWALL ADDRESS LISTS, AND IP ADDRESS LISTS. THIS FIREWALL RULE REFERENCES "SRC-ADDRESS-LIST=ADMIN". WHICH LIST IS THIS TAKEN FROM?
add action=accept chain=input src-address-list=admin


I DON'T KNOW BUT IT HAS ACTIVITY. PERHAPS IT ALLOWS THE WG SESSIONS WHICH HAVE 10.10.100.x PEERS?
add action=accept chain=forward dst-address=10.0.0.0/24


I UNDERSTAND THAT ADDING "SRC-ADDRESS=192.168.2.0/24" IS MORE RESTRICTIVE AND WOULD NOT INTERFERE WITH WHAT I AM DOING, BUT WHY ADD IT?
add action=accept chain=forward comment=\
"Allow local subnet traffic to WG peers" out-interface=212-Wireguard


192.168.5.0/24 IS ONE OF THE 2 SUBNETS AT THE WG PEER "355 SITE C"
/ip route
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10


I DON'T KNOW. 192.168.2.4 IS A RB5009 THAT I HAVE DOING NOTHING OTHER THAN PI-HOLE FOR NOW.
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.4 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10

See anything interesting in the hapax3 config?

Thank you!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT iOS winbox app not connecting

Tue Jan 31, 2023 9:40 pm

[quote=Josephny post_id=981286 time=1675187069 user_id=205935]

REMOVED:
/interface list
ADD

GOOD!

I WOULD LIKE TO KEEP THIS FOR NOW:
/ip neighbor discovery-settings
set discover-interface-list=all

You don't understand: the discovery settings are mostly to detect other MikroTik devices for wifi, or any other managed devices for that matter, in the trusted subnet.
Since you include all in MANAGE, there is nothing gained by stating =all. It makes no difference at this point either way.


GOOD POINT ABOUT THE CLIENT DEVICE KEEPING THE TUNNEL ALIVE. I WILL REMEMBER THAT.

Can you confirm all the other sites are just clients for the initial connection? Plan to make it two way later?

REMOVED. I HAD THIS HERE BECAUSE I'M STILL STRUGGLING WITH THE G3100 VERIZON ROUTER. I'VE ORDERED A MOCA ADAPTER TO REPLACE IT.
/ip address
add address=192.168.1.111/24 interface=bridge network=192.168.1.0

GOOD

REMOVED. I DON'T KNOW WHY THAT IS THERE BUT IT MIGHT BE PART OF MY FIOS ROUTER FIX ATTEMPT.
/ip firewall filter
add action=accept chain=input comment="BLOCK DHCP VIA WG" in-interface=\
212-Wireguard log=yes port=67-68 protocol=udp

GOOD

I'M UNCLEAR: THERE ARE INTERFACE LISTS, FIREWALL ADDRESS LISTS, AND IP ADDRESS LISTS. THIS FIREWALL RULE REFERENCES "SRC-ADDRESS-LIST=ADMIN". WHICH LIST IS THIS TAKEN FROM?
add action=accept chain=input src-address-list=admin

It's all about understanding.......... You include all possible addresses by using the in-interface-list=LAN interface. Remember the LAN interface includes any incoming wireguard traffic ( as wireguard was added to the LAN list ) and the local subnet traffic, so nothing is changed when you use the address list. On a bone to pick, don't ever claim that's an admin list when an admin list implies a few IPs that the admin will use to access the router; I would name the list EVERYBODYINCLUDINGTHEDOGSBREAKFASTHASACCESSTOMYROUTER

Interface lists should be used when you have two or more subnets that have similar needs in terms of firewall rules that are distinct from the LAN interface list.
An exception is that we often make an interface list MANAGE just for the one trusted subnet.
Address lists are best used when you have a few users or groups of users within a subnet, or any of the previous as well as whole subnets that have the same firewall rule requirements.
IP address lists don't apply here, other than to say if a firewall rule involves a single subnet, you don't need an interface list or firewall address list; just use dst- or src-address and put down the subnet.


I DON'T KNOW BUT IT HAS ACTIVITY. PERHAPS IT ALLOWS THE WG SESSIONS WHICH HAVE 10.10.100.x PEERS?
add action=accept chain=forward dst-address=10.0.0.0/24

Of course it will have activity because of its placement, but if you remove the rule nothing will change; it is not needed.
What it says is: allow any source traffic to pass if heading to the wireguard subnet...........

rule1 - "Allow local subnet traffic to WG peers" out-interface=212-Wireguard src-address=192.168.2.0/24
add action=drop chain=forward

Allows any traffic coming from the subnet to enter the tunnel!! Thus if any user tries to contact any wireguard peer by its wireguard address, the router will say I know the route there, and the firewall rules will say yeah, that traffic is allowed to go there.

rule2 - add action=accept chain=forward comment="Allows cross peer subnet traffic" \
in-interface=212-Wireguard out-interface=212-Wireguard

Allows any traffic coming from the tunnel to re-enter the tunnel. Thus if a peer wants to contact another peer by its wireguard address, the router will say I know the route to get back into the tunnel, and the firewall says yeah, that traffic is allowed to exit the tunnel and re-enter the tunnel........

Bottom line you should remove the vague (too wide open) and poorly placed rule.

I UNDERSTAND THAT ADDING "SRC-ADDRESS=192.168.2.0/24" IS MORE RESTRICTIVE AND WOULD NOT INTERFERE WITH WHAT I AM DOING, BUT WHY ADD IT?
add action=accept chain=forward comment=\
"Allow local subnet traffic to WG peers" out-interface=212-Wireguard

Good practice is to ONLY allow traffic needed. Unintended consequences occur when you get sloppy and leave out either the dst or source of intended traffic. It's also very much clearer to any reader what you are doing, and thus they can follow the logic. Granted there are times where it may be acceptable/efficient or okay. In your case it's okay; I would never do it, as if I add anything else to the router I have to remember then to close off access to wireguard because of the open-ended rule.......... like I said, not a preferred practice, for good reason.

192.168.5.0/24 IS ONE OF THE 2 SUBNETS AT THE WG PEER "355 SITE C"
MY BAD, I didn't notice it.

I DON'T KNOW. 192.168.2.4 IS A RB5009 THAT I HAVE DOING NOTHING OTHER THAN PI-HOLE FOR NOW.
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.4 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10

Makes no sense to me........??? I would disable it for now. Also I can send you my raspberry pi if you send me your rb5009. Fair trade! ;-)
[/quote]
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT iOS winbox app not connecting

Tue Jan 31, 2023 10:02 pm

Looking at the ax3, assuming one of the ether ports on the hex is the WAN port for the AX3.........

# jan/30/2023 16:01:58 by RouterOS 7.7
# software id = 5NRD-V1QF
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxxC
/interface bridge
add admin-mac=48:xxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="To hEX" poe-out=off
set [ find default-name=ether3 ] comment=TV
set [ find default-name=ether4 ] comment=TV
/interface list
add name=TRUSTED
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add comment=defconf interface=bridge list=TRUSTED
add interface=ether1 list=TRUSTED
{ not convinced this line is needed but added just in case }
/ip address
add address=192.168.2.5/24 comment=defconf interface=bridge network=\
192.168.2.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 { just remove this line altogether }
/ip dns
set allow-remote-requests=yes query-server-timeout=5s servers=192.168.2.2 { your rb5009 pihole should be removed whilst getting this working }
/ip dns static { remove this line }
add address=192.168.2.5 comment=defconf name=router.lan
REMOVE ALL FW AND NAT RULES
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-table=main \
suppress-hw-offload=no
REMOVED ALL IPV6 rules.
/system ntp client {WRONG APPROACH - set the NTP client on the HEX with servers set to the external ones and then simply enable Server mode. On this device you put 192.168.2.2 as the client's server.}
set enabled=yes mode=broadcast
/system ntp client servers
add address=time-e-g.nist.gov
/tool mac-server
set allowed-interface-list=NONE ( not secure should not be used! )
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
Last edited by anav on Sun Dec 10, 2023 5:21 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT iOS winbox app not connecting

Tue Jan 31, 2023 10:11 pm

Going back to the hex. The RB is not implemented properly for pihole, so remove it for now......... It's getting in the way needlessly.

I have TWO other concerns on the hex now...............probably forgotten memory issues LOL.

(1) This doesn't look right!

/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=10.0.0.2 gateway=\
192.168.2.2 netmask=24


Why did you put 10.0.0.2 ????????? It's not any interface on the router. Furthermore, it has nothing to do with your pihole IP address either.

Replace with........... for now........
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.2 gateway=\
192.168.2.2 netmask=24

(2) What the heck is this route for........... there is no 10.0.0.0 network anywhere on your interfaces....... I suspect it has something to do with DNS and the RB again. As I said, this thing is a cancerous boil that should be excised until we get the basic stuff working!!!
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.4 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10



PS I did confirm you are missing setting up NTP Server (enable it on Hex)..................
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: MT iOS winbox app not connecting

Tue Jan 31, 2023 11:29 pm


I WOULD LIKE TO KEEP THIS FOR NOW:
/ip neighbor discovery-settings
set discover-interface-list=all
You don't understand: the discovery settings are mostly to detect other MikroTik devices for wifi, or any other managed devices for that matter, in the trusted subnet.
Since you include all in MANAGE, there is nothing gained by stating =all. It makes no difference at this point either way.

Got it -- thank you.


GOOD POINT ABOUT THE CLIENT DEVICE KEEPING THE TUNNEL ALIVE. I WILL REMEMBER THAT.
Can you confirm all the other sites are just clients for the initial connection? Plan to make it two way later?

No, I cannot confirm that. I would like the other sites to be able to initiate a connection also.


I'M UNCLEAR: THERE ARE INTERFACE LISTS, FIREWALL ADDRESS LISTS, AND IP ADDRESS LISTS. THIS FIREWALL RULE REFERENCES "SRC-ADDRESS-LIST=ADMIN". WHICH LIST IS THIS TAKEN FROM?
add action=accept chain=input src-address-list=admin
It's all about understanding.......... You include all possible addresses by using the in-interface-list=LAN interface. Remember the LAN interface includes any incoming wireguard traffic ( as wireguard was added to the LAN list ) and the local subnet traffic, so nothing is changed when you use the address list. On a bone to pick, don't ever claim that's an admin list when an admin list implies a few IPs that the admin will use to access the router; I would name the list EVERYBODYINCLUDINGTHEDOGSBREAKFASTHASACCESSTOMYROUTER

I understand that I'm allowing all packets from any station/device on the ADMIN firewall list, and that the ADMIN firewall list includes 192.168.0.0/16 and 10.10.100.0/24.

While "admin" might not be a good name for it, it's not bad to allow all lan & wg traffic through, right?


Interface lists should be used when you have two or more subnets that have similar needs in terms of firewall rules that are distinct from the LAN interface list.
An exception is that we often make an interface list MANAGE just for the one trusted subnet.
Address lists are best used when you have a few users or groups of users within a subnet, or any of the previous as well as whole subnets that have the same firewall rule requirements.
IP address lists don't apply here, other than to say if a firewall rule involves a single subnet, you don't need an interface list or firewall address list; just use dst- or src-address and put down the subnet.

I think I get it.




I UNDERSTAND THAT ADDING "SRC-ADDRESS=192.168.2.0/24" IS MORE RESTRICTIVE AND WOULD NOT INTERFERE WITH WHAT I AM DOING, BUT WHY ADD IT?
add action=accept chain=forward comment=\
"Allow local subnet traffic to WG peers" out-interface=212-Wireguard
Good practice is to ONLY allow traffic needed. Unintended consequences occur when you get sloppy and leave out either the dst or source of intended traffic. It's also very much clearer to any reader what you are doing, and thus they can follow the logic. Granted there are times where it may be acceptable/efficient or okay. In your case it's okay; I would never do it, as if I add anything else to the router I have to remember then to close off access to wireguard because of the open-ended rule.......... like I said, not a preferred practice, for good reason.

Understood, but where else would traffic be coming from? Perhaps another subnet in 192.168.0.0/16? Or, 10.10.100.0/24


I DON'T KNOW. 192.168.2.4 IS A RB5009 THAT I HAVE DOING NOTHING OTHER THAN PI-HOLE FOR NOW.
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.4 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
Makes no sense to me........??? I would disable it for now. Also I can send you my raspberry pi if you send me your rb5009. Fair trade! ;-)

Okay, so I disabled it and a Windows PC connected to the hEX stopped resolving URLs. Then I figured out that the hEX has its DNS set to 10.0.0.2, which is the virtual ethernet address to the container running pi-hole. Hence the need to route to it.

Such a tempting offer, thank you so much. But I need the RB5009 to help me learn.


Adding your 3:11pm hEX post:

(1) This doesn't look right!

/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=10.0.0.2 gateway=\
192.168.2.2 netmask=24

Why did you put 10.0.0.2 ????????? It's not any interface on the router. Furthermore, it has nothing to do with your pihole IP address either.

I set up the pi-hole server on the RB5009 at 10.0.0.2:

/container mounts
add dst=/etc/pihole name=etc_pihole src=/disk1/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/disk1/etc-dnsmasq.d

/interface bridge
add name=bridge1
add name=docker

/interface veth
add address=10.0.0.2/24 gateway=10.0.0.1 name=veth1

/container
add envlist=pihole_envs interface=veth1 logging=yes mounts=\
    etc_pihole,dnsmasq_pihole root-dir=disk1/pihole

/container config
set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
/container envs
add key=TZ name=pihole_envs value=America/New_York
add key=WEBPASSWORD name=pihole_envs value=mikrotik
add key=DNSMASQ_USER name=pihole_envs value=root


/interface bridge port
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge1 interface=ether1
add bridge=docker interface=veth1


On the ax3:

/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.2 gateway=\
192.168.2.2 netmask=24

(2) What the heck is this route for........... there is no 10.0.0.0 network anywhere on your interfaces....... I suspect it has something to do with DNS and the RB again. As I said, this thing is a cancerous boil that should be excised until we get the basic stuff working!!!
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.4 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10

I've changed the DNS server used by the hapax3 to 192.168.2.2

But I don't know what to change the DNS server entry on the hEX to. I could change it to 1.1.1.1, but I'd like to use the pi-hole on the RB5009.

The eventual goal is to swap the RB5009 in for the hEX and have the RB5009 be the main router and run pi-hole.

Okay, I've done my best, so please please please bear with me as this has gotten a little overwhelming.

Thank you!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT iOS winbox app not connecting

Tue Jan 31, 2023 11:53 pm

No worries,,,,,,,, baby steps :-)

NO! You do not want all devices and users to have full access to the router ( INPUT CHAIN ).
You only want the admin to be able to access the router for configuration purposes.

Typically this is done by
add chain=input action=accept in-interface-list=MANAGE ( Optional is src-address-list=Authorized, in the common case where the in-interface list includes other people than the admin)

the source address-list=Authorized is typically

add address=Admin_desktop list=Authorized
add address=Admin_laptop_wired list=Authorized
add address=Admin_laptop_wifi list=Authorized
add address=Admin_iphone list=Authorized
add address=Admin_wireguard_laptop list=Authorized
add address=Admin_wireguard_iphone list=Authorized

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Correct in that sometimes USERS need access to the router for certain SERVICES, common ones are DNS, NTP and UPNP...............

So typically we have additional rules before the drop rules
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp comment="user access to dns/ntp services"
add chain=input action=accept in-interface-list=LAN dst-port=53,123 protocol=udp

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

You really need to delete your pi-hole setup; I don't think it's done correctly, and the way you have it doing routes is going to interfere with wireguard.
Typically you should be redirecting (dst-nat) to pihole, not ROUTING.........

Step1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.2 gateway=\
192.168.2.2 netmask=24

Step2
input chain rules just before the drop rule.......
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp


Step3
forward chain rules are sometimes required but in your case all local users are within the same subnet and WG users have access to the local subnet already.

Step4
Dst Nat rules
add chain=dstnat action=dst-nat in-interface-list=LAN src-address=!192.168.2.4 dst-port=53 protocol=tcp to-addresses=192.168.2.4
add chain=dstnat action=dst-nat in-interface-list=LAN src-address=!192.168.2.4 dst-port=53 protocol=udp to-addresses=192.168.2.4


Src Nat Rule NOTE YOU ALREADY HAVE THIS RULE IN PLACE SO GOOD TO GO!!!!
Hairpin Rule for Server Subnet users
add chain=srcnat action=masquerade dst-address=192.168.2.0/24 src-address=192.168.2.0/24
Src Nat rules


+ GET RID OF ROUTE you have


++++++++++++++++++++++
Finally keep in mind your pi-hole is easily defeated by savvy users................... Much work for perhaps no gain!!
Last edited by anav on Sun Dec 10, 2023 5:24 pm, edited 1 time in total.
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 10:10 am

Okay, I have implemented many/most of your recommendations. I have not implemented the restrictions on access to the router, mainly because I don't understand. Specifically, if I set an INPUT CHAIN rule to only allow devices on an ADMIN interface, won't all packets from non-admin interfaces such as LAN be blocked?

Here are the hEX and the hapax3 configs:

# feb/01/2023 02:59:49 by RouterOS 7.6
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = HCxxxx
/interface bridge
add admin-mac=18:xxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface vlan
add disabled=yes interface=ether2 name=TEST-VLAN-10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=4w2d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge-learning=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
[DELETED]
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
add address=172.16.0.1/24 interface=TEST-VLAN-10 network=172.16.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.2.100 mac-address=78:xxxxx server=defconf
add address=192.168.2.102 mac-address=xxxx server=defconf
add address=192.168.2.101 mac-address=78:xxxxx server=defconf
add address=192.168.2.103 mac-address=A0:xxxxx server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.2 gateway=\
    192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=6w cache-size=65536KiB servers=\
    1.1.1.1
/ip firewall address-list
add address=xxxxx.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=admin
add address=10.10.100.0/24 list=admin
/ip firewall filter
add action=accept chain=input disabled=yes log=yes src-address=192.168.1.1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Loopback allow" dst-address=127.0.0.1
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input log=yes src-address-list=admin
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment=\
    "Allow local subnet traffic to WG peers" out-interface=212-Wireguard
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" dst-address-list=dynamic-WANIP \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address=\
    192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
    protocol=tcp to-addresses=192.168.2.176
/ip route
add comment=371 disabled=no distance=1 dst-address=192.168.88.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=255 disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=629 disabled=no distance=1 dst-address=192.168.20.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=America/New_York
/system identity
set name="212 Hex"
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=216.239.35.4
add address=104.16.132.229
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# feb/01/2023 02:58:54 by RouterOS 7.7
# software id = 5NRD-V1QF
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HDxxxxx
/interface bridge
add admin-mac=48:Axxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="To hEX" poe-out=off
set [ find default-name=ether3 ] comment=TV
set [ find default-name=ether4 ] comment=TV
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-n .skip-dfs-channels=all \
    .width=20/40mhz configuration.mode=ap .ssid=Upstairs5g-0F0493 disabled=no \
    security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=all \
    .width=20/40mhz configuration.mode=ap .ssid=Upstairs-2G-0F0494 disabled=\
    no security.authentication-types=wpa2-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add include=LAN,WAN name=ALL-JRS
add name=TRUSTED
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=TRUSTED
add interface=ether1 list=TRUSTED
/ip address
add address=192.168.2.5/24 comment=defconf interface=bridge network=\
    192.168.2.0
/ip dns
set allow-remote-requests=yes query-server-timeout=5s servers=192.168.2.2
/ip dns static
add address=192.168.2.5 comment=defconf name=router.lan
/ip firewall filter
[DELETED DISABLED RULES]

/ip firewall nat
[DELETED DISABLED RULES]

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.2 routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/system clock
set time-zone-name=America/New_York
/system identity
set name=hAP-Ax3
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.2.2
/tool graphing interface
add interface=wifi2
add
add interface=bridge
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
/tool mac-server
set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes
/tool sniffer
set file-limit=10000KiB filter-interface=ether3 memory-limit=1000KiB
 
anav

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 2:39 pm

Correct, the idea is

a. to allow only the admin access to the router (input chain is to the router) for CONFIG PURPOSES.........
add chain=input action=accept in-interface-list=MANAGE src-address-list=Authorized

where Authorized is a firewall address list ex.
add address=Admin_desktop list=Authorized
add address=Admin_laptop_wired list=Authorized
add address=Admin_laptop_wifi list=Authorized
add address=Admin_ipad_wifi list=Authorized
add address=Admin_iphone_WireguardRemote list=Authorized
add address=Admin_laptop_WireguardRemote list=Authorized


THEN
b. add LAN users for the access they require which is typically only DNS services, sometimes NTP and rarely upnp.

Hence why you should have something like
add chain=input action=accept in-interface-list=MANAGE OR
add chain=input action=accept in-interface-list=MANAGE src-address-list=Authorized ( in case the MANAGE list includes a subnet with many users besides admin )
add chain=input action=accept in-interface-list=LAN dst-port=53,123 protocol=tcp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp
add chain=input action=drop comment="drop all else"
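A complete, ordered input chain built from the scheme anav lays out above, added here as an example and not taken from any post in the thread. It assumes an interface list named MANAGE that contains the bridge, the address-list name Authorized, and placeholder admin addresses (192.168.2.10 for a wired desktop, 192.168.2.141 for the iPhone on wifi, 10.10.100.9 for the iPhone over WireGuard); replace them with your own fixed leases. NTP is UDP/123, so the LAN service rule accepts it over UDP. The log rule just before the final drop is the check: when a station cannot reach the router's management services, /log print shows which source address and port were dropped.

```routeros
# Added example, not from the thread. MANAGE, the Authorized entries and the
# comment strings are assumptions; substitute your own fixed admin addresses.

/interface list
add name=MANAGE comment="interfaces admin stations may manage the router from"
/interface list member
add interface=bridge list=MANAGE

/ip firewall address-list
add address=192.168.2.10  list=Authorized comment="admin desktop, wired (fixed lease)"
add address=192.168.2.141 list=Authorized comment="admin iPhone, wifi (fixed lease)"
add address=10.10.100.9   list=Authorized comment="admin iPhone via WireGuard"

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept protocol=udp dst-port=51820 \
    comment="WireGuard handshake may arrive from anywhere"
add chain=input action=accept in-interface-list=MANAGE src-address-list=Authorized \
    comment="admin stations only: winbox, ssh, api, www"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="LAN clients: DNS"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="LAN clients: DNS over TCP"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=123 \
    comment="LAN clients: NTP"
add chain=input action=log log-prefix="input-drop" \
    comment="log what the next rule drops; disable once the lists are right"
add chain=input action=drop comment="drop all else"

# MAC-level access: no MAC telnet at all, MAC-winbox only from MANAGE interfaces.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
```

Apply this with Safe Mode on (the Safe Mode button in WinBox, or Ctrl-X in a terminal session) so a wrong entry in Authorized does not lock you out: if the session drops before you leave Safe Mode, RouterOS rolls the change back.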
 
anav

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 2:51 pm

AX3
Remove the following entries in orange/yellow

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add include=LAN,WAN name=ALL-JRS

add name=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

add interface=bridge list=TRUSTED
add interface=ether1 list=TRUSTED
/ip address
add address=192.168.2.5/24 comment=defconf interface=bridge network=\
192.168.2.0
/ip dns
set allow-remote-requests=yes query-server-timeout=5s servers=192.168.2.2
/ip dns static
add address=192.168.2.5 comment=defconf name=router.lan

/ip firewall filter
[DELETED DISABLED RULES]

/ip firewall nat
[DELETED DISABLED RULES]

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6


/tool graphing interface
add interface=wifi2
add { another one of those empty entries }
add interface=bridge
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
/tool mac-server
set allowed-interface-list=TRUSTED Change this to NONE.
 
Josephny (Topic Author)

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 2:57 pm

I understand what you wrote, but I've been working on solidifying my understanding of firewall chains and it differs from what you wrote.

When I read things like this:

https://tldp.org/HOWTO/IPCHAINS-HOWTO-4.html


I am left thinking that the INPUT CHAIN decides the fate of all inbound packets. That is, an INPUT CHAIN is required to ALLOW packets in order for the packets to be processed by the FORWARD CHAIN rules.

Sounds like I am mistaken, and that the INPUT and FORWARD chains work independently. That is, even if a packet is denied at an INPUT CHAIN rule, it will still be processed by the FORWARD rules.

Is any of this on track?
 
Josephny (Topic Author)

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 3:14 pm

All changes made except:

1) I don't see the empty ADD in TOOL GRAPHING INTERFACE

2) MAC SERVER -- I thought it would be nice to have another way in


[quoting anav's post above, Wed Feb 01, 2023 2:51 pm]
 
anav

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 3:16 pm

HEX.......
Step 1. Ensure the IP address your IPHONE gets from the AX is static/fixed and for that matter any device the admin uses to access the router for config purposes......... This is done from the Leases

Step 2. Create a firewall address list (called Authorized) of all possible Admin IP addresses, wired and wireless, desktop, laptop, ipad, iphone and remote connections via iphone, desktop as well.


# feb/01/2023 02:59:49 by RouterOS 7.6
# software id = C3RH-692B
#
# model = RB750Gr3

/interface wireguard peers { we will test connecting via iphone using WG to connect and the IOS app to configure router :-)))) }
add allowed-address=10.10.100.9/32 comment="JRS iPhone" endpoint-port=59820 \
interface=212-Wireguard public-key=\
"xxxxxx="


/ip firewall address-list { you fill in the ip addresses below for desktop, laptop, ipad, iphone on the local LAN wired or wifi }
add address=xxxxx.dyndns.org list=dynamic-WANIP
add address=fixedIP-adminDesktop list=Authorized
add address=fixedIP-adminLaptop-wired list=Authorized
add address=fixedIP-adminLaptop-wifi list=Authorized
add address=fixedIP-adminIPHONE-wifi list=Authorized
add address=10.10.100.9 list=Authorized { iphone wg tunnel then IOS app to config }
add address=192.168.0.0/16 list=admin REMOVE
add address=10.10.100.0/24 list=admin REMOVE
/ip firewall filter
add action=accept chain=input disabled=yes log=yes src-address=192.168.1.1 (REMOVE)
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Loopback allow" dst-address=127.0.0.1
add action=accept chain=input comment="Allow incoming WG connections" \
dst-port=51820 protocol=udp
add action=accept chain=input log=yes src-address-list=Authorized
add action=accept chain=input in-interface-list=MANAGE src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53,123 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp

add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment=\
"Allow local subnet traffic to WG peers" out-interface=212-Wireguard src-address=192.168.2.0/24
add action=drop chain=forward
/ip firewall mangle WHY OH WHY IS THIS STILL HERE ???????????????????????
add action=mark-connection chain=prerouting comment=\
"Mark connection for hairpin" dst-address-list=dynamic-WANIP \
new-connection-mark="Hairpin NAT" passthrough=yes src-address=\
192.168.2.0/24

/ip firewall nat ( GET RID OF THE MANGLE reference NOT NEEDED )
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
protocol=tcp to-addresses=192.168.2.176

/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
 
anav

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 3:22 pm

[quoting Josephny's post above, Wed Feb 01, 2023 2:57 pm]
You really need to attempt to understand how MT does it. There is a packet flow diagram which is excellent and a puzzle LOL.
https://help.mikrotik.com/docs/display/ ... n+RouterOS

Chains have different functions.
INPUT CHAIN = TO ROUTER (from LAN or from WAN), aka to ROUTER SERVICES........
FORWARD CHAIN = THROUGH ROUTER wan to lan, lan to lan, lan to wan.
 
Josephny (Topic Author)

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 3:43 pm

I think the problem I am having with the iOS Mikrotik App is related to the hairpin forwarding or Wireguard routing.

When the iPhone is not connected via wifi, and does have a WG tunnel activated, the MT APP works just fine.

With wifi connection, it does not work (regardless of whether WG tunnel from iPhone to hEX is active).

This applies to connecting to either the hEX or the hapax3.

I tried disabling WG entirely on the hEX but doing so did not make it work while connected via wifi.

I tried disabling the hairpin marking and masq but doing so did not make it work.

The only reason I'm still wondering if this is the right track is because it looks like the iPhone is communicating with the hEX using WG.

I have restarted the iPhone and made sure that the VPN was off. I even deleted all the VPN entries on the phone.

I made iPhone 192.168.2.141 static (with comment).

I created firewall address list named AUTHORIZED but I included 192.168.0.0/16 and 10.10.100.0/24 (I know, I know -- too broad, but I just want it for testing purposes).

I need the mangle and hairpin in order to access devices inside. I don't remember off-hand what, but I tried without and it doesn't work. Let's leave that for now.

Tried it and it still doesn't work.


[quoting anav's post above, Wed Feb 01, 2023 3:16 pm]
 
Josephny (Topic Author)

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 4:20 pm

Wow! Holy cow did I misunderstand!

I got it now. And the rules make so much more sense now.

As always, you are invaluable.

Thank you.
[quoting anav's post above, Wed Feb 01, 2023 3:22 pm]
 
anav

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 6:00 pm

You do not need to mangle for hairpin nat.
All you need to do is the two steps you have already established

a. the extra source nat rule ( just remove the mangle ref)
b. a destination nat rule in the format dst-address-list=dynamic-WANIP

DONE!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This should work.
iPhone connects to hapax via wifi.
since you have added this fixed static LANIP address to the authorized access list then you should be able to access the hex for configuration purposes.
In other words, via the iphone you should be able to
a. access the internet via the hex
b. access other users/devices in the same subnet, like from the browser.
c. reach a port forwarded server via either its LANIP or via the dynamic WANIP.........
d. access the hex configuration using IOS APP.

What is a little less clear is accessing the config on hapax, but since everything points to the hex gateway IP, this should also be permitted.

++++++++++++++++++++++++++++++++++++

When you wireguard from the phone (cellular) to the HEX, a tunnel is established. your iphone has a fixed IP 10.10.100.9, for example and since this is on your AUTHORIZED list you should be able to view the hex config via the ios app, as well as that of the hapax.
 
Josephny (Topic Author)

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 7:06 pm

That's exactly what I was thinking: The iPhone is connected directly to the hapax3 via wifi so why shouldn't it be allowed to login?

So I ran some more tests.

On the hapax3 I disabled all the ethernet ports.

The only access is via wifi.

I then added a rule to allow the ip that my phone was manually set to (192.168.2.141) to allow.

Still doesn't work.

I'm starting to think there's something screwy with in my phone or with the MT App.

I can ping from the phone to the hapax3 just fine, and I see the icmp packets being logged.

But when I click CONNECT in the app, nothing happens. Nothing logged. As if the packets never leave the iPhone or never hit the hapax3.
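A way to tell "the firewall dropped it" from "the packets never reached the router", which is the distinction the test above turns on, added here as an example rather than something posted in the thread. It assumes the iPhone holds the fixed lease 192.168.2.141, that the app connects to the default Winbox port (tcp/8291; confirm with /ip service print), and that the phone associates to wifi1; the log prefix and comment strings are arbitrary.

```routeros
# Added example, not from the thread. 192.168.2.141, wifi1, tcp/8291 and the
# "DIAG ..." comment are assumptions; adjust them to your own setup.

# 1. Count and log every new Winbox connection from the phone in the input
#    chain. action=log neither accepts nor drops: the packet continues to
#    the next rule, so the rule is harmless wherever it sits.
/ip firewall filter
add chain=input action=log log-prefix="winbox-phone" protocol=tcp \
    dst-port=8291 src-address=192.168.2.141 connection-state=new \
    comment="DIAG winbox from iPhone"

# 2. Move it to the top so it runs before any existing accept or drop rule.
/ip firewall filter move [find comment="DIAG winbox from iPhone"] 0

# 3. Press CONNECT in the app, then read the rule counters and the log.
#    Counter and log entries present: the SYN reached the router and the
#    firewall is where to look next. Nothing at all: go to step 4.
/ip firewall filter print stats where comment="DIAG winbox from iPhone"
/log print where message~"winbox-phone"

# 4. Independent check below the firewall: capture on the wifi interface
#    (stop with Ctrl-C). Packets here but none in the log means something
#    ahead of the filter (for example /ip firewall raw) ate them; nothing
#    here means the packets never reached the router, i.e. the problem is
#    on the phone or the wireless path, not in RouterOS.
/tool sniffer quick interface=wifi1 ip-address=192.168.2.141 port=8291

# 5. Remove the diagnostic rule afterwards.
/ip firewall filter remove [find comment="DIAG winbox from iPhone"]
```

Ping succeeding while step 3 and step 4 both stay empty is the signature of a client-side block: ICMP leaves the phone, but the app's own TCP sockets never send anything.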
 
anav

Re: MT iOS winbox app not connecting

Wed Feb 01, 2023 8:33 pm

You should need no rules on the AX; it's not routing, it's only a switch and it's on the LAN, so you should be able to reach it.
Before you kill yourself I will try my setup later on today. Take a break LOL
 
Josephny (Topic Author)

Re: MT iOS winbox app not connecting

Thu Feb 02, 2023 11:27 am

I've isolated the problem to my iPhone.

I grabbed my wife's iphone and installed MT APP, connected to the same wifi as I've been connecting to, and it works great.

So, something got screwy with the networking in my iPhone.

So i reset the iPhone's network settings. Still no good.

Then I went into SETTINGS and scrolled down into the list of app, found Mikrotik and discovered that the switch for LOCAL NETWORK was in the off position. Slid it to on and now it works.

Now, I've been around for a long long time, and I know full well about when a user says 'I didn't touch anything' but I've never seen this before. Another unsolved mystery.

Whew. Sorry to bother you with this.

It did provide the opportunity to greatly improve my configs and my understanding!

Thank you.

[attachment: Screenshot 2023-02-02 at 4.21.21 AM.jpg]
 
anav

Re: MT iOS winbox app not connecting

Thu Feb 02, 2023 3:17 pm

Awesome! Yeah iphone ISMs suck, but who cares, you learned tons and it was fun.
 
ABerloff
just joined
Posts: 1
Joined: Sat Dec 09, 2023 10:42 pm

Re: MT iOS winbox app not connecting

Sat Dec 09, 2023 10:43 pm

Dear Josephny, thank you! I had the same issue with the same resolution) You saved me, thx!
 
Josephny (Topic Author)

Re: MT iOS winbox app not connecting

Mon Dec 18, 2023 4:42 pm

Hi @Aberloff

Thank you so much for the recognition.

But it was really @anav who, with his super generous, tough-style help, gets the thank you -- from both of us.
